Devices and Methods for Securing Communication Between a Sensor and a Device

ABSTRACT

The present disclosure relates to a method, implemented by a sensor e.g. being used in a Recreational Vehicle monitoring and control system, for securing communication between the sensor and a device which is separate and distinct from the sensor. The method comprises receiving, from a control device, an identifier of the sensor and a request for an address of the sensor and a key for the sensor. The identifier of the sensor is to be related to the address and the key for the sensor. The method further comprises generating the key for the sensor. The generated key is to be used for verifying data integrity of sensor data transmitted from the sensor. Thereafter, the method comprises transmitting, to the control device, a message comprising the address and the generated key for the sensor.

CROSS REFERENCE TO RELATED APPLICATIONS

This 35 U.S.C. § 371 National Stage Patent application claims priority to and benefit of PCT Patent Application No. PCT/EP2021/075391, filed Sep. 15, 2021, which claims priority to and benefit of EP 20197023.3, filed Sep. 18, 2020, all of which is incorporated herewith.

TECHNICAL FIELD

The present disclosure relates to the field of communication between a sensor and a device. More specifically, the present disclosure relates to devices as well as methods for securing communication between a sensor and a device.

The sensor may advantageously, but not necessarily, be used in a Recreational Vehicle (RV) monitoring and control system, i.e. a system that may use sensor data as input in order to monitor and control function(s) of a Recreational Vehicle (RV).

BACKGROUND

A sensor is a device that measures, or detects, some type of input within its physical environment. The input may be any one of a great number of environmental phenomena and may be, for example, light, temperature, speed, distance, moisture and pressure. Generally, the sensor converts the detected, or measured, input to an electronic signal. The electronic signal may be converted into human-readable information at the sensor location or transmitted electronically over a network for reading or further processing at a distant location. By transmitting the detected or measured input to a distant location, the sensor data may be used by other devices for taking decisions and/or controlling functions based on the received sensor data.

With decreased costs for sensors, sensors are used more and more to receive information that otherwise would have been unknown. By using sensors, it may be possible for a user to view a certain type of sensor input and it may furthermore be possible to use the sensor input for subsequent decisions and/or actions. However, if the sensor input is not correct or if the sensor input is fraudulent, this may lead to damages. In such cases, subsequent decisions and/or actions may be controlled based on incorrect assumptions. For example, if a sensor input does not correspond to a real value of a measured parameter, an incorrect function may be controlled instead of the correct function. Alternatively, the correct function may be controlled, but in an incorrect way. Accordingly, incorrect subsequent decisions and/or actions may lead to unnecessary actions and/or damages. This may result in unduly high costs. Thus, in order to avoid such costs and to prevent damages on person and/or equipment, it is important that a sensor input data actually correspond to the value it is believed to represent.

SUMMARY

In order to achieve a way for securing communication between a sensor and a device, the inventors of the various embodiments have realized, after inventive and insightful reasoning, that it has to be possible to verify data that is transmitted between the sensor and the device. The inventors have realised that this may be achieved by using a key, which is shared between the sensor and the device. The key may be used to verify the data integrity of the sensor data transmitted from the sensor. The key may be, for example, an encryption key. By using the key, it may be ensured that sensor data received from a certain sensor actually correspond to data received from that particular sensor and that the value of the sensor data actually corresponds to the value it is believed to represent. Thus, it is ensured that the received information is the same information as was transmitted from the sensor and it is possible to confirm from which sensor the information was received.

In view of the above, it is therefore a general object of the aspects and embodiments described throughout this disclosure to provide a way of verifying data integrity of sensor data from a sensor.

This general object has been addressed by the appended independent claims. Advantageous embodiments are defined in the appended dependent claims.

According to a first aspect, there is provided a method, implemented by a sensor, for securing communication between the sensor and a device, which is separate and distinct from the sensor.

In one exemplary embodiment, the method comprises receiving, from a control device, an identifier of the sensor and a request for an address of the sensor and a key for the sensor. The identifier of the sensor is to be related to the address and the key for the sensor. The method further comprises generating, as a response to the received request, the key for the sensor. The generated key is to be used for verifying data integrity of sensor data transmitted from the sensor. Thereafter, the method comprises transmitting, to the control device, a message comprising the address of the sensor and the generated key for the sensor.

In some embodiments, the method further comprises transmitting sensor data to the device. The sensor data is transmitted with a sequence number and a checksum encrypted with the generated key for the sensor. The address of the sensor may be a Media Access Control address (MAC) address and the encrypted checksum may be a keyed-hash message authentication code (HMAC).

In some embodiments, the method further comprises storing the generated key for the sensor together with the received identifier of the sensor.

In some embodiments, the method further comprises receiving, from the control device, a message configuring the sensor to transmit sensor data periodically to the device.

In some embodiments, the address of the sensor and the key for the sensor are transmitted to the device using Near Field Communication (NFC).

In some embodiments, the sensor is used in a Recreational Vehicle (RV) monitoring and control system.

According to a second aspect, there is provided a method, implemented by a control device, for securing communication between a sensor and a device, which is separate and distinct from the sensor.

In one exemplary embodiment, the method comprises transmitting, to the sensor, an identifier of the sensor and a request for an address of the sensor and a key for the sensor. The identifier of the sensor is to be related to the address and the key for the sensor. The method further comprises receiving, from the sensor, a message comprising the address of the sensor and the generated key for the sensor.

In some embodiments, the method further comprises storing the received key for the sensor together with the received address and the identifier of the sensor.

In some embodiments, the method further comprises transmitting, to the sensor, a message configuring the sensor to transmit sensor data periodically to the device.

In some embodiments, the method further comprises receiving sensor data from the sensor. The sensor data is received with a sequence number and a checksum encrypted with the generated key for the sensor. The address of the sensor may be a MAC address and the encrypted checksum may be a HMAC.

In some embodiments, the address of the sensor and the key for the sensor are received from the sensor using NFC.

In some embodiments, the control device is used in a RV monitoring and control system.

In some embodiments, the method further comprises transmitting a whitelist message to the device, wherein the whitelist message comprises the identifier for the sensor together with the key for the sensor and the address of the sensor.

According to a third aspect, there is provided a sensor for securing communication between the sensor and a device. The device is separate and distinct from the sensor. The sensor implementing the method according to the first aspect.

In one exemplary embodiment, the sensor is configured to receive, from a control device, an identifier of the sensor and a request for an address of the sensor and a key for the sensor. The identifier of the sensor is to be related to the address and the key for the sensor. The sensor is further configured to generate, as a response to the received request, the key for the sensor. The key is to be used for verifying data integrity of sensor data transmitted from the sensor. The sensor is further configured to transmit, to the control device, a message comprising the address of the sensor and the generated key for the sensor.

In some embodiments, the sensor is further configured to transmit sensor data to the device. The sensor data is transmitted with a sequence number and a checksum encrypted with the generated key for the sensor. The address of the sensor may be a MAC address and the encrypted checksum may be a HMAC.

In some embodiments, the sensor is further configured to store the generated key for the sensor together with the received identifier of the sensor.

In some embodiments, the sensor is further configured to receive, from the control device, a message configuring the sensor to transmit sensor data periodically to the device.

In some embodiments, the address of the sensor and the key for the sensor are transmitted to the device using NFC.

In some embodiments, the sensor is used in a RV monitoring and control system.

According to a fourth aspect, there is provided a control device for securing communication between a sensor and a device. The device is separate and distinct from the sensor. The control device implementing the method according to the second aspect.

In one exemplary embodiment, the control device is configured to transmit, to the sensor, an identifier of the sensor and a request for an address of the sensor and a key for the sensor. The identifier of the sensor is to be related to the address and the key for the sensor. The control device is further configured to receive, from the sensor, a message comprising the address of the sensor and the generated key for the sensor.

In some embodiments, the control device is further configured to store the received key for the sensor together with the received address and the identifier of the sensor.

In some embodiments, the control device is further configured to transmit, to the sensor, a message configuring the sensor to transmit sensor data periodically to the device.

In some embodiments, the control device is further configured to receive sensor data from the sensor. The sensor data is received with a sequence number and a checksum encrypted with the generated key for the sensor. The address of the sensor may be a MAC address and the encrypted checksum may be a HMAC.

In some embodiments, the address of the sensor and the key for the sensor are received from the sensor using NFC.

In some embodiments, the control device is used in a RV monitoring and control system.

In some embodiments, the control device is further configured to transmit a whitelist message to the device. The whitelist message comprises the identifier for the sensor together with the key for the sensor and the address of the sensor.

According to a fifth aspect of the present disclosure, the object is achieved by a computer program comprising instructions, which when executed by a processor, causes the processor to perform actions according to any of the methods according to the first and the second aspects.

According to a sixth aspect of the present disclosure, the object is achieved by a carrier comprising the computer program of the fifth aspect, wherein the carrier is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.

Some of the above embodiments eliminate or at least reduce the problems discussed above. By generating a key, which is shared between the sensor and the device, it is possible to verify the integrity of data received from a sensor. It is possible ensure that the received sensor data actually is received from the sensor, from which it is believed to be received. Also, it is possible to ensure that the sensor data actually corresponds to the value it is believed to represent. Thus, devices and methods, which may ensure secure communication between sensors and devices, are provided herein.

BRIEF DESCRIPTION OF DRAWINGS

These and other aspects, features and advantages will be apparent and elucidated from the following description of various embodiments, reference being made to the accompanying drawings, in which:

FIG. 1 a shows a flowchart of an example method performed by a sensor;

FIG. 1 b is a signalling diagram according to an embodiment;

FIG. 2 a is a schematic drawing illustrating a sensor according to embodiments herein;

FIG. 2 b shows an example of data transmitted from a sensor;

FIG. 3 shows an overview of a recreational vehicle;

FIG. 4 shows a flowchart of an example method performed by a control device;

FIG. 5 is a schematic drawing illustrating a control device according to embodiments herein; and

FIG. 6 shows a schematic view of a computer system.

DETAILED DESCRIPTION

The disclosed embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments are shown. The embodiments may be provided in many different forms and should not be construed as limited to those set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the claims to those skilled in the art. Like numbers refer to like elements throughout.

The disclosure presented herein concerns methods and devices for securing communication between a sensor and a device. The device is separate and distinct from the sensor, i.e. the device is another device than the sensor and the device may be located at another location than the sensor. The device may be any type of device that may communicate with the sensor. Examples of such devices may be control devices and interacting hubs. The disclosure presented herein concerns a sensor and a method, implemented by the sensor, for securing communication between the sensor and a device. The disclosure presented herein further concerns a control device and a method, implemented by the control device, for securing communication between a sensor and a device.

The present disclosure according to the aspect of the sensor 200 is now going to be described with reference to FIGS. 1 a and 1 b and FIG. 2 . FIG. 1 a shows a flowchart of an example method 100 performed by a sensor 200 and FIG. 1 b is a signalling diagram according to the present disclosure. FIG. 2 is a schematic drawing illustrating the sensor 200 according to embodiments presented herein.

The sensor 200 according to the present disclosure may be any type of sensor configured to measure and/or detect sensor input data. The sensor 200 is configured to perform the method 100 illustrated in FIG. 1 a . As illustrated in FIG. 2 a , the sensor 200 comprises at least one processor 210. The at least one processor 210 may be embodied as software, e.g. in a cloud-based solution, or the at least one processor 210 may be embodied as a hardware controller. It may be implemented using any suitable, publicly available processor. The at least one processor 210 may be implemented using instructions that enable hardware functionality, for example, by using executable computer program instructions in a general-purpose or special-purpose processor that may be stored on a computer readable storage medium (disk, memory etc.) to be executed by such a processor. The processor 210 may be configured to read instructions from a memory 220 and execute these instructions to secure communication between the sensor 200 and a device 102, 500. The memory 220 may be implemented using any commonly known technology for computer-readable memories such as ROM, RAM, SRAM, DRAM, FLASH, DDR, SDRAM or some other memory technology.

As illustrated in FIG. 2 a , the sensor 200 may further comprise at least one transmitter 261 configured to transmit data and/or sensor data to a control device 500 and/or at least one device 102. The sensor 200 may further comprise at least one receiver 262 configured to receive data from the control device 500. The sensor 200 may further comprise a power source 270 such as a battery. The power source 270 may ensure that the processor 210 have enough power to perform the method 100 according to the present disclosure. The sensor 200 may further comprise at least one physical and/or biological sensing unit 280. This at least one unit 280 may be configured to sense, measure and/or detect the input, e.g. a physical parameter, within its physical environment. This input may thereafter be forwarded as sensor data 250.

As also illustrated in FIGS. 1 a and 1 b , the method 100 implemented by the sensor 200 begins with step 110 of receiving, from a control device 500, an identifier of the sensor 200 and a request for an address of the sensor 200 and a key for the sensor 200. The received identifier is an identifier given to the sensor 200 by the control device 500 and may be used to distinguish the sensor 200 from other sensors. The identifier may be a name given by the control device 500 and the identifier may thus, in some embodiments, be a given name. The identifier of the sensor 200 is to be related to the address of the sensor 200 and the key for the sensor 200. The address of the sensor 200 is unique and represents the sensor identity. The address may be, for example, a Media Access Control (MAC) address. The requested key for the sensor 200 may be an encryption key. The encryption key may be used to encrypt data with.

As a response to the received request, the method 100 continues with step 120 of generating the key for the sensor 200. The generated key is to be used for verifying data integrity of the sensor data transmitted from the sensor 200 and is to be shared between the sensor 200 and the device 102, 500 that is intended to receive data from the sensor 200. By verifying the data integrity of the sensor data, it may be ensured that the sensor data really is transmitted from the sensor 200 and it may be possible to know exactly from what sensor 200 the information has been received. Additionally, it may be ensured that the sensor data really corresponds to the data it is believed to represent. The key will ensure that information received from the sensor 200 is the same information that was transmitted from the sensor 200. Thus, the generated key is a unique key, which is associated with the specific sensor 200 and may only be used with sensor data received from that sensor 200.

Furthermore, the generated key may be used for sensor origin authentication. When sensor data is received from a sensor 200, it may be ensured that the received sensor data can be trusted. Sensor data originating from any sensor 200 that is configured according to the present disclosure may be verified by a receiving device 102, 500 as long as the device 102, 500 is in possession of the generated key. How this may be performed is described more in detail later.

In some embodiments, the sensor 200 may additionally store the generated key together with the identifier, illustrated as step 130 in FIGS. 1 a and 1 b . By storing the generated key together with the identifier, it may be known to the sensor 200 that the stored key is to be used with sensor data transmitted under the specific given identifier.

When the key for the sensor 200 has been generated, the method 100 continues with step 140 of transmitting, to the control device 500, the generated key for the sensor 200 in a message together with the address of the sensor 200. Thus, the control device 500 will receive the key, which may be used for verifying the correctness of the sensor data received from the sensor 200. Furthermore, as the given sensor identifier is associated with the generated key and the address of the sensor 200, the generated key is linked to the specific sensor 200 and the key may verify the correctness of the data and confirm the source of the data, i.e. that the sensor data really is transmitted from that specific sensor 200. Thus, it may be verified, based on the generated key, that sensor data received from sensor 200 really is the data it is believed to represent.

Accordingly, the present disclosure provides a method 100, implemented in a sensor 200, for securing communication between the sensor 200 and a device 102, 500. With the proposed method 100 and the proposed sensor 200, a unique key is shared between the sensor 200 and the control device 500 such that the correctness of the data received from the sensor 200 may be verified. As the sensor data transmitted from the sensor 200 may be used for subsequent actions or decisions, it is important that the used data really is the intended data. Otherwise, subsequent actions or decisions may be performed based on incorrect data and consequently based on incorrect assumptions. The sensor data may be used to control functions such as, for example, ventilation functions, heater functions, climate control functions, water heater functions, vehicle battery management functions, light control functions and security alarm functions. If any of these functions are controlled based on data that does not correspond to the real value of a parameter measured by the sensor 200, the function may be controlled in an incorrect way. For example, if a security alarm function is controlled based on incorrect data, the security alarm function may not be triggered. When that happens, there is a major risk that damages may occur. This may lead to unnecessary costs, which additionally may be high. Thus, the proposed method 100 and sensor 200 ensure secure communication between the sensor 200 and the device 102, 500.

There may be different ways of protecting the exchange of the sensor's key between the sensor 200 and the control device 500. According to one example embodiment, the key of the sensor 200 may be exchanged between the sensor 200 and the device 500 using Near Field Communication (NFC). NFC is a set of short-range wireless technologies, typically requiring a separation of 10 cm or less. Due to the short-range, it may be difficult for anyone to undetected eavesdrop and steal the key. It may be appreciated that while NFC may be used for sharing the key between the sensor 200 and the control device, sensor data transmitted from the sensor 200 may be transmitted from the sensor 200 using any available wireless technology. In some embodiments, all transfer of information is performed over a secure channel. The secure channel may be provided either by proximity through NFC as previously described, or over an encrypted channel such as, for example, Bluetooth Low Energy (BLE) Generic Attribute Profile (GATT).

Additionally, or alternatively, the sensor 200 may protect the key during the transmittal with a pin code. The pin code used for protecting the key may have been received from the control device 500 together with the received request for the key. Alternatively, the pin code used for protecting the key may have been agreed upon between the sensor 200 and the control device 500 at an earlier time.

After that the key has been shared between the sensor 200 and the device 500, the sensor 200 may receive, from the control device 500 in step 150, a message configuring the sensor 200 to transmit sensor data periodically to the device 500, 102. Accordingly, the sensor 200 may receive a message that configures the sensor 200 to transmit its sensor data with a certain interval. The sensor data comprises the input data that the sensor 200 has detected or measured within the physical environment. In some embodiments, the sensor data may be transmitted to be received by the control device 500, which configured the sensor 200. In other embodiments, the sensor data may be transmitted to be received by device 102, which may be another device than the control device 500. Accordingly, in these embodiments, the control device 500 may configure the sensor 200 to periodically transmit sensor data that may be received by another device 102. The interval at which the sensor 200 may be configured to transmit sensor data may depend on the type of sensor data received from the sensor 200. For example, some data may be valuable to receive often, with an interval of seconds, while other data may not be necessary to receive that often. This data may be enough to receive with an interval of minutes or even hours. However, in order to keep the power consumption of the sensor 200 at a reasonable level, advertising intervals not smaller than approximately 5 seconds may be preferred.

After the sensor 200 has generated and forwarded the key to the control device 500, the method 100 may further comprise step 160 of transmitting sensor data to the device 102, 500. In some embodiments, the sensor 200 may be unaware of which device 500, 102 the transmitted sensor data is intended to be transmitted to. In such embodiments, the sensor data may be broadcasted without an address to the intended recipient. In other embodiments, the sensor 200 may be aware of which device 500, 102 the sensor data is intended to be transmitted to and in these embodiments, the sensor data may be transmitted exclusively to that device 102, 500.

The generated key shared between the sensor 200 and the device 102, 500 may be used in different ways to verify the correctness of the sensor data. In one embodiment, the key may be used to encrypt at least a part of the sensor data before the sensor data is transmitted from the sensor 200 to the device 102, 500. The encrypted said at least a part of the sensor data may not necessarily be the data measured by the sensor 200, the encrypted sensor data may be a part of the data that may be used for verification of the transmitted data. Regardless of which part of the sensor data that is encrypted, the encrypted sensor data may only be decrypted by a device 102, 500 that has access to the corresponding key that the data has been encrypted with. Examples relating to how the generated key may be used to verify the correctness of the sensor data is going to be described with reference to FIG. 2 b.

FIG. 2 b illustrates an example of transmitted sensor data 250. As illustrated in FIG. 2 b , the transmitted sensor data 250 may comprise a Protocol Data Unit (PDU) 236 of 2 to 39 bytes. A PDU is a single unit of information transmitted among peer entities of a computer network, here the sensor 200 and the device 102, 500. A PDU is composed of protocol-specific control information and user data. The PDU 236 may comprise a header 242 of 2 bytes, an address of 6 bytes and data 246 of 0 to 31 bytes. The data 246 of the sensor data 250 may comprise, in some embodiments as illustrated in FIG. 2 b , a checksum 252. In some embodiments, the checksum may be encrypted with the generated and shared key for the sensor 200. As is known in the art, a checksum is a sum derived from a block of digital data for detecting errors that may have been introduced during the transmission of the data 250. Thus, by encrypting the checksum 252 with the generated shared key, only a device 102, 500 in possession of such key may be able to verify the data integrity of the sensor data 250. Unauthorized reproduction and use of the checksum 252 may accordingly be prevented. Furthermore, by using an encrypted checksum 252, only the checksum 252 may have to be encrypted with the exchanged key. Not the complete sensor data 250 may have to be encrypted. By encrypting the checksum 252, the identity of the sensor 200 transmitting the sensor data 250 may be protected. The encrypted checksum 252 may be, for example, a keyed-hash message authentication code (HMAC). In such embodiments, the address of the sensor 200 may be, for example, a MAC address.

In some embodiments, the sensor data 250 may further comprise a sequence number 254. The sequence number 254 comprised in the sensor data 250 may be a number that increases each time the sensor 200 transmits sensor data 250. By including a sequence number 254 for the sensor data 250, man-in-the-middle attacks may be prevented, or at least reduced. It may not be possible to record and replay previous transmitted data 250 from the sensor 200, as the sequence number 254 in such cases most likely will not correspond to the sequence number expected by the receiving device 102, 500. In some embodiments, the sequence number 254 may additionally be encrypted with the generated key for the sensor 200.

The data protected by the proposed method 100 is illustrated in FIG. 2 b as TLV 256, wherein TLV stands for Type, Length and Value. The transmitted sensor data 250 may comprise one or more sets of data 256. What kind of data that is comprised within the at least one set of data 256 depends on the type of sensor 200. The data may comprise, for example temperature data, humidity data, barometric pressure data, light intensity data, air quality data, smoke detection data, gas level data, water level data, accelerometer data, passive IR data, proximity data, location data and virtual sensor data deducted from sensor data 250.

The proposed sensor 200 and method 100 may be used in any system, but according to one embodiment, the proposed sensor 200 and method 200 may be used with an actuator. An actuator is a component of a machine or device that is responsible for moving and controlling a mechanism or a system. The actuator may thus be responsible for controlling a function. Examples of such actuators may be, without limitation, an awning motor, a bilge pump, an RV levelling mechanism and an RV parking device. These actuators may take sensor data as input in order to control the particular function. Thus, the sensor data 250 is received from the sensor 200, which it is believed to be received from, and it is further important that the received sensor data 250 is the same data as was transmitted from the sensor 200, otherwise, there is a risk that the actuator may control the specific function in an incorrect way.

As previously described, the proposed sensor 200 and method 100 may be used in any system, but according to one embodiment, the sensor 200 and the method 100 may be used in a Recreational Vehicle (RV) monitoring and control system. An RV monitoring and control system is a system that may use sensor data 250 as input in order to monitor and control a plurality of functions of a RV or a recreational vessel. A recreational vessel is a vehicle that is used in water and mainly for recreational purposes. An RV is a motor vehicle, or trailer, which may be used for recreation and which includes living quarters designed for accommodation. RVs include motorhomes, campervans, caravans—also known as travel trailers and camper trailers, fifth-wheel trailers, popup campers and truck campers. An overview of such an RV 300 is illustrated in FIG. 3 .

As RVs 300 and recreational vessels may include many of the same functions as may be used in a house or an apartment, they may include a plurality of functions to be controlled by said RV monitoring and control system. These plurality of functions include functions such as HVAC (Heat, Ventilation and Air-Conditioning) related functions, security alarm functions, light control functions, etc. As the RV monitoring and control system may take sensor data 250 as input for controlling these functions, the functions are controlled by the correct input. It is important that received sensor data 250 corresponds to the value which it is believed to represent and is received from the particular sensor 200 from which it is believed to be received. Furthermore, as the RV monitoring and control system may receive a plurality of sensor data 250, directly from the sensor 200 or via an interacting hub, it is also important that the received sensor data 250 is not mixed up with any other sensor data. Accordingly, the RV monitoring and control system may be advantageous to use with the proposed sensor 200 and method 100.

The present disclosure according to the aspect of the control device is now going to be described with reference to FIG. 1 b , FIG. 4 and FIG. 5 . FIG. 4 shows a flowchart of an example method 400 performed by the control device 500. FIG. 5 is a schematic drawing illustrating the control device 500 according to embodiments presented herein.

The control device 500 according to the present disclosure may be any type of device configured to communicate with a sensor 200 and configured to perform the method 400 illustrated in FIG. 4 . The control device 500 is the device that begins and controls the sharing of the sensor key. The control device 500 may be e.g. a terminal such as a mobile phone or tablet, which may comprise an application, or app, used for the method 400. As illustrated in FIG. 5 , the control device 500 may comprise a graphical user interface 530. The graphical user interface 530 may make it easier for a user to interact with the control device 500. Furthermore, the graphical user interface 530 may be used by a user using the control device 500 to monitor the disclosed method 400.

As illustrated in FIG. 5 , the control device 500 comprises at least one processor 510. The at least one processor 510 may be embodied as software, e.g. in a cloud-based solution, or the at least one processor 510 may be embodied as a hardware controller. It may be implemented using any suitable, publicly available processor or Programmable Logic Circuit (PLC). The at least one processor 510 may be implemented using instructions that enable hardware functionality, for example, by using executable computer program instructions in a general-purpose or special-purpose processor that may be stored on a computer readable storage medium (disk, memory etc.) to be executed by such a processor. The processor 510 may be configured to read instructions from a memory 520 and execute these instructions to secure communication between the control device 500 and a sensor 200. The memory 520 may be implemented using any commonly known technology for computer-readable memories such as ROM, RAM, SRAM, DRAM, FLASH, DDR, SDRAM or some other memory technology.

The control device 500 may further comprise at least one transmitter 551 configured to transmit data to the sensor 200 and/or at least one device 102. The control device 500 may further comprise at least one receiver 552 configured to receive data from the sensor 200. The control device 500 may further comprise a power source 570 such as a battery. The power source 570 may ensure that the control device 500 may have enough power to perform the method 400.

As previously described, the methods 100 and 400 may be performed using NFC. NFC uses inductive coupling between two nearby loop antennas effectively forming an air-core transformer. The method 400 may thus begin when the control device 500 is placed on, or very close to, the sensor 200. In some embodiments, a user of the control device 500 may first choose and activate a sensor installation mode, e.g. the user may start the method 400 through an application of the control device 500 before the control device 500 is placed on, or close to, the sensor 200.

As also illustrated in FIGS. 1 b and 4, the method 400 begins with step 410 of transmitting, to the sensor 200, an identifier of the sensor 200 and a request for an address of the sensor 200 and a key for the sensor 200. The identifier of the sensor 200 is to be related to the address and the key for the sensor 200. The identifier of the sensor 200 may have been chosen by a user of the control device 500 and may thus e.g. be a given name. The user may have named the sensor 200 through an application on the control device 500 and may thus have chosen the identifier to be any name suitable for the sensor 200. Alternatively, the control device 500 may have automatically named the sensor 200 based on available information regarding the sensor 200.

As a response to the transmitted request, the method 400 further continues with step 420 of receiving, from the sensor 200, a message comprising the requested address of the sensor 200 and the generated key for the sensor 200.

The control device 500 may further be configured to store the received key for the sensor 200 together with the received address and the identifier of the sensor 200, corresponding to step 430 of the method 400. By storing the key with the address and the identifier, it may be ensured that the correct key is used for the sensor data 250 received from the corresponding sensor 200. In some embodiments, the control device 500 may receive sensor data 250 from a plurality of sensors. In such case, the correct key is related to the correct sensor 200.

In some embodiments, the method 400 may further comprise step 440 of transmitting, to the sensor 200, a message configuring the sensor 200 to transmit sensor data 250 periodically to the device 500, 102. Thus, the control device 500 may transmit a configuration to the sensor 200, which configures the sensor 200 to transmit data with certain intervals. The interval by which the sensor 200 may be configured to transmit the sensor data 250 may be specified, for example, by a user via the control device 500. In other embodiments, the interval may be determined automatically by the control device 500 depending on the type of sensor 200 communicating with the control device 500. For example, it may be more valuable to receive sensor data relating to temperature more often than sensor data 250 relating to a water level. Thus, a sensor configured to measure temperature data may be configured to transmit sensor data more often than a water level sensor.

Once the control device 500 has received the key for a specific sensor 200, the method 400 may further comprise step 460 of receiving sensor data 250 from the sensor 200. As previously described, with reference to FIG. 2 b , in some embodiments, the sensor data 250 may be received with a sequence number and a checksum encrypted with the generated key for the sensor 200. The address of the sensor may be a MAC address and the encrypted checksum may be a HMAC.

In case, the sensor data 250 is intended for another device 102 than the control device 500, the control device 500 may first have whitelisted the sensor 200 to that device 102. Thus, in some embodiments, the method 400 may further comprise step 450 of transmitting a whitelist message to the device 102. The whitelist message comprises the identifier for the sensor 200 together with the key for the sensor 200 and the address of the sensor 200. Thus, the control device 500 may be configured to communicate to other devices 102 that data received from the specified sensor 200 is approved and may be used for subsequent actions. By transmitting the given sensor name, the key, and the address of the sensor 200, the device 102 may receive the information needed for verifying the data integrity of the sensor data 250 received from the sensor 200. Accordingly, the device 102 may use the received key to verify the data integrity of data received from a sensor 200 matching the whitelisted given sensor name and address. The device 102 may then be configured to determine independently if the data is the expected data from the sensor 200. Thus, the control device 500 may distribute the key and the address of the sensor 200 to the devices 102 that are intended to receive data from the sensor 200. Accordingly, the sensor 200 does not have to exchange its key and address with other devices 102 than the control device 500. The sensor 200 may thus perform the so-called onboarding process once, with one device 500, but may still be possible to exchange data with several devices 102, 500. Furthermore, the control device 500 may keep control over which devices 102 that may be allowed to verify and thus use, the data received from the sensor 200. As previously described, the key may be exchanged using NFC in some embodiments. However, it may be appreciated that while NFC may be used during the onboarding process, the sensor data 250 may be transmitted using any available wireless technology.

The device 102, which may receive the whitelist message, may be any device, but in some embodiments, the device 102 may be an interacting hub, or a sensor hub. The interacting hub, or sensor hub, may be a device that verifies the integrity of the received sensor data 250 and then forwards it to other devices, which may use the sensor data 250. The interacting hub, or sensor hub, may be connected to several sensors 200 at the same time and may distribute, after the control device 500 has provided it with the sensor address, key and name, sensor data 250 between other devices.

The proposed control device 500 and method 400 may be used in any system, but according to one embodiment, the control device 500 and method 400 may be used in an RV monitoring and control system. As previously described, an RV monitoring and control system is a system that may take sensor data 250 as input for monitoring and controlling a plurality of functions of a RV 300 or a recreational vessel. As RVs and recreational vessels may include many functions which may be controlled by the RV monitoring and control system, the functions may be controlled based on the correct input. Further, received sensor data 250 may correspond to the value which it is believed to represent and the received sensor data 250 may be received from the particular sensor 200 from which it is believed to be received. Furthermore, the received sensor data 250 should not be mixed up with any other sensor data. Accordingly, the RV monitoring and control system may be advantageous to use with the proposed control device 500 and method 400.

Accordingly, the present disclosure provides methods and devices for securing communication between a sensor 200 and a device 102, 500. By providing a key, which may be used to verify data integrity of data received from the sensor 200, it may be assured that the data is the expected data and that the data really is received from the sensor 200.

In another aspect, the disclosure presented herein concerns a computer program comprising instructions, which when executed by a processor, causes the processor to perform actions according to any of the methods described with reference to FIGS. 1 a and 1 b and FIG. 4 .

In another aspect, the disclosure presented herein concerns a carrier comprising the computer program of the previously described aspect, wherein the carrier is one of an electronic signal, an optical signal, an electromagnetic signal, a magnetic signal, an electric signal, a radio signal, a microwave signal, or a computer-readable storage medium.

FIG. 6 is a block diagram illustrating an exemplary computer system 600 in which embodiments of the present embodiments may be implemented. This example illustrates a computer system 600 such as may be used, in whole, in part, or with various modifications, to provide the functions of the disclosed devices 200, 500. For example, various functions may be controlled by the computer system 600, including, merely by way of example, transmitting a given sensor name and a request for an address and a key of the sensor 200 and receiving the requested address and key.

The computer system 600 is shown comprising hardware elements that may be electrically coupled via a bus 690. The hardware elements may include one or more central processing units 610, such as the at least one processor 510, one or more input devices 620 (e.g., a mouse, a keyboard, etc.), and one or more output devices 630 (e.g., a display device, a printer, etc.). The computer system 600 may also include one or more storage device 660. By way of example, the storage device(s) 660 may be disk drives, optical storage devices, solid-state storage device such as a random-access memory (“RAM”) and/or a read-only memory (“ROM”), which can be programmable, flash-updateable and/or the like.

The computer system 600 may additionally include a computer-readable storage media reader 650, a communications system 660 (e.g., a modem, a network card (wireless or wired), an infrared communication device, Bluetooth™ device, cellular communication device, etc.), and a working memory 680, which may include RAM and ROM devices as described above. In some embodiments, the computer system 600 may also include a processing acceleration unit 670, which can include a digital signal processor, a special-purpose processor and/or the like.

The computer-readable storage media reader 650 can further be connected to a computer-readable storage medium, together (and, optionally, in combination with the storage device(s) 660) comprehensively representing remote, local, fixed, and/or removable storage devices plus storage media for temporarily and/or more permanently containing computer-readable information. The communications system 660 may permit data to be exchanged with a network, system, computer and/or other component described above.

The computer system 600 may also comprise software elements, shown as being currently located within the working memory 680, including an operating system 688 and/or other code 686. It should be appreciated that alternative embodiments of a computer system 600 may have numerous variations from that described above. For example, customized hardware might also be used and/or particular elements might be implemented in hardware, software (including portable software, such as applets), or both. Furthermore, connection to other computing devices such as network input/output and data acquisition devices may also occur.

Software of the computer system 600 may include code 686 for implementing any or all of the function of the various elements of the architecture as described herein. For example, software, stored on and/or executed by a computer system such as the system 600, can provide the functions of the disclosed system. Methods implementable by software on some of these components have been discussed above in more detail.

The present disclosure provides methods, devices, computer programs and carriers for securing communication between a sensor 200 and a device 102, 500. By providing a key, which may be used to verify data integrity of data received from the sensor 200, it may be assured that the data is the expected data and that the data really is received from the sensor 200. The present disclosure may be advantageous to use together with RV monitoring and control systems.

References to computer program, instructions, code etc. should be understood to encompass software for a programmable processor or firmware such as, for example, the programmable content of a hardware device whether instructions for a processor, or configuration settings for a fixed-function device, gate array or programmable logic device etc.

NUMBERED EXAMPLE EMBODIMENTS

The technology described throughout this disclosure thus encompasses without limitation the following numbered example embodiments:

-   -   NEE1. A method (100), implemented by a sensor (200), for         securing communication between the sensor (200) and a device         (102, 500) which is separate and distinct from the sensor (200),         the method (100) comprising:     -   receiving (110), from a control device (500), an identifier of         the sensor (200) and a request for an address of the sensor         (200) and a key for the sensor (200), wherein the identifier of         the sensor (200) is to be related to the address and the key for         the sensor (200);     -   generating (120), as a response to the received request, the key         for the sensor (200), wherein the generated key is to be used         for verifying data integrity of sensor data (250) transmitted         from the sensor (200); and     -   transmitting (140), to the control device (500), a message         comprising the address of the sensor (200) and the generated key         for the sensor (200).     -   NEE2. The method (100) according to embodiment NEE1, wherein the         method (100) further comprises:     -   transmitting (160) sensor data (250) to the device (102, 500),         wherein the sensor data (250) is transmitted with a sequence         number and a checksum encrypted with the generated key for the         sensor (200).     -   NEE3. The method (100) according to embodiment NEE2, wherein the         address of the sensor (200) is a Media Access Control, MAC,         address and the encrypted checksum is a keyed-hash message         authentication code, HMAC.     -   NEE4. The method (100) according to any of embodiments NEE1 to         NEE3, wherein the method (100) further comprises:     -   storing (130) the generated key for the sensor (200) together         with the received identifier of the sensor (200).     -   NEE5. The method (100) according to any of embodiments NEE1 to         NEE4, wherein the method (100) further comprises:     -   receiving (150), from the control device (500), a message         configuring the sensor (200) to transmit sensor data (250)         periodically to the device (102, 500).     -   NEE6. The method (100) according to any of embodiments NEE1 to         NEE5, wherein the address of the sensor (200) and the key for         the sensor (200) are transmitted to the device (102, 500) using         Near Field Communication, NFC.     -   NEE7. A method (400), implemented by a control device (500), for         securing communication between a sensor (200) and a device (102,         500) which is separate and distinct from the sensor (200), the         method (200) comprising:     -   transmitting (410), to the sensor (200) an identifier of the         sensor (200) and a request for an address of the sensor (200)         and a key for the sensor (200), wherein the identifier of the         sensor (200) is to be related to the address and the key for the         sensor (200); and     -   receiving (420), from the sensor (200), a message comprising the         address of the sensor (200) and the generated key for the sensor         (200).     -   NEE8. A sensor (200) for securing communication between the         sensor (200) and a device (102, 500), the sensor (200) being         configured to:     -   receive, from a control device (500), an identifier of the         sensor (200) and a request for an address of the sensor (200)         and a key for the sensor (200), wherein the identifier of the         sensor (200) is to be related to the address and the key for the         sensor (200);     -   generate, as a response to the received request, the key for the         sensor (200), wherein the key is to be used for verifying data         integrity of sensor data (250) transmitted from the sensor         (200); and     -   transmit, to the control device (500), a message comprising the         address of the sensor (200) and the generated key for the sensor         (200).     -   NEE9. The sensor (200) according to embodiment NEE8, wherein the         sensor (200) further is configured to:     -   transmit sensor data (250) to the device (102, 500), wherein the         sensor data (250) is transmitted with a sequence number and a         checksum encrypted with the generated key for the sensor (200).     -   NEE10. The sensor (200) according to embodiment NEE9, wherein         the address of the sensor (200) is a Media Access Control, MAC,         address and the encrypted checksum is a keyed-hash message         authentication code, HMAC.     -   NEE11. The sensor (200) according to any of embodiments NEE8 to         NEE10, wherein the sensor (200) further is configured to:     -   store the generated key for the sensor (200) together with the         received identifier of the sensor (200).     -   NEE12. The sensor (200) according to any of embodiments NEE8 to         NEE11, wherein the sensor (200) further is configured to:     -   receive, from the control device (500), a message configuring         the sensor (200) to transmit sensor data (250) periodically to         the device (102, 500).     -   NEE13. The sensor (200) according to any of embodiments NEE8 to         NEE12, wherein the address of the sensor (200) and the key for         the sensor (200) are transmitted to the device (102, 500) using         Near Field Communication, NFC.     -   NEE14. The sensor (200) according to any of embodiments NEE8 to         NEE13, wherein the sensor (200) is used in a Recreational         Vehicle, RV, monitoring and control system.     -   NEE15. A control device (500) for securing communication between         a sensor (200) and a device (102, 500), the control device (500)         being configured to:     -   transmit, to the sensor (200) an identifier of the sensor (200)         and a request for an address of the sensor (200) and a key for         the sensor (200), wherein the identifier of the sensor (200) is         to be related to the address and the key for the sensor (200);         and     -   receive, from the sensor (200), a message comprising the address         of the sensor (200) and the generated key for the sensor (200).

Modifications and other variants of the described embodiments will come to mind to one skilled in the art having benefit of the teachings presented in the foregoing description and associated drawings. Therefore, it is to be understood that the embodiments are not limited to the specific example embodiments described in this disclosure and that modifications and other variants are intended to be included within the scope of this disclosure. Still further, although specific terms may be employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation. Therefore, a person skilled in the art would recognize numerous variations to the described embodiments that would still fall within the scope of the appended claims. As used herein, the terms “comprise/comprises” or “include/includes” do not exclude the presence of other elements or steps. Furthermore, although individual features may be included in different claims, these may possibly advantageously be combined, and the inclusion of different claims does not imply that a combination of features is not feasible and/or advantageous. In addition, singular references do not exclude a plurality. 

1. A method, implemented by a sensor used in a Recreational Vehicle, RV, monitoring and control system configured to monitor and control functions of a RV, for securing communication between the sensor and a device which is separate and distinct from the sensor, the method comprising: receiving, from a control device, an identifier of the sensor and a request for an address of the sensor and a key for the sensor, wherein the identifier of the sensor is to be related to the address and the key for the sensor; generating, as a response to the received request, the key for the sensor, wherein the generated key is to be used for verifying data integrity of sensor data transmitted from the sensor; and transmitting, to the control device, a message comprising the address of the sensor and the generated key for the sensor.
 2. The method according to claim 1, wherein the method further comprises: transmitting sensor data to the device, wherein the sensor data is transmitted with a sequence number and a checksum encrypted with the generated key for the sensor.
 3. The method according to claim 2, wherein the address of the sensor is a Media Access Control, MAC, address and the encrypted checksum is a keyed-hash message authentication code, HMAC.
 4. The method according to claim 1, wherein the method further comprises: storing the generated key for the sensor together with the received identifier of the sensor.
 5. The method according to claim 1, wherein the method further comprises: receiving, from the control device, a message configuring the sensor to transmit sensor data periodically to the device.
 6. The method according to claim 1, wherein the address of the sensor and the key for the sensor are transmitted to the control device using Near Field Communication, NFC.
 7. A method, implemented by a control device, for securing communication between a sensor and a device which is separate and distinct from said sensor, the method comprising: transmitting, to said sensor an identifier of the sensor and a request for an address of the sensor and a key for the sensor, wherein the identifier of the sensor is to be related to the address and the key for the sensor; and receiving, from said sensor, a message comprising the address of the sensor and the generated key for the sensor.
 8. A sensor, being used in a Recreational Vehicle, RV, monitoring and control system configured to monitor and control functions of a RV, for securing communication between the sensor and a device, the sensor being configured to: receive, from a control device, an identifier of the sensor and a request for an address of the sensor and a key for the sensor, wherein the identifier of the sensor is to be related to the address and the key for the sensor; generate, as a response to the received request, the key for the sensor, wherein the key is to be used for verifying data integrity of sensor data transmitted from the sensor; and transmit, to the control device, a message comprising the address of the sensor and the generated key for the sensor.
 9. The sensor according to claim 8, wherein the sensor further is configured to: transmit sensor data to the device, wherein the sensor data is transmitted with a sequence number and a checksum encrypted with the generated key for the sensor.
 10. The sensor according to claim 9, wherein the address of the sensor is a Media Access Control, MAC, address and the encrypted checksum is a keyed-hash message authentication code, HMAC.
 11. The sensor according to claim 8, wherein the sensor further is configured to: store the generated key for the sensor together with the received identifier of the sensor.
 12. The sensor according to claim 8, wherein the sensor further is configured to: receive, from the control device, a message configuring the sensor to transmit sensor data periodically to the device.
 13. The sensor according to claim 8, wherein the address of the sensor and the key for the sensor are transmitted to the control device using Near Field Communication, NFC.
 14. A control device for securing communication between a sensor and a device, the control device being configured to: transmit, to the sensor an identifier of the sensor and a request for an address of the sensor and a key for the sensor, wherein the identifier of the sensor is to be related to the address and the key for the sensor; and receive, from the sensor, a message comprising the address of the sensor and the generated key for the sensor. 